Unbounded Memory Allocation Vulnerability in OpenTelemetry .NET Exporter by OpenTelemetry
CVE-2026-41484

5.3 MEDIUM

Key Information:

Vendor
CVE Published: 6 May 2026

What is CVE-2026-41484?

The OpenTelemetry.Exporter.OneCollector for .NET is susceptible to a vulnerability due to its handling of HTTP error responses. In versions up to 1.15.0, the HttpJsonPostTransport class reads the entire response body from the configured back-end, regardless of the size, when an HTTP 4xx or 5xx error occurs. This allows an attacker controlling the endpoint, or intercepting network traffic, to send excessively large responses, resulting in unbounded heap memory allocation. Such conditions can lead to significant memory pressure within the application, causing garbage collection stalls or even an OutOfMemoryException that can crash the application. To mitigate this issue, implementing strict network-level controls like firewalls or mTLS is advised. The vulnerability has been addressed in version 1.15.1, which restricts error response bodies to a maximum of 4 MiB.
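
A bounded read of an HTTP error body, shown as an added example and not the OpenTelemetry project's own code or its actual patch. The names BoundedErrorBody, PostAsync and ReadCappedAsync are hypothetical; the 4 MiB cap is the limit stated above for version 1.15.1.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

public static class BoundedErrorBody
{
    // Cap matching the 4 MiB limit the advisory gives for 1.15.1.
    public const int MaxErrorBodyBytes = 4 * 1024 * 1024;

    // Hypothetical helper: POST a payload and, on 4xx/5xx, keep at most
    // MaxErrorBodyBytes of the response body for diagnostics.
    // Returns an empty string when the request succeeded.
    public static async Task<string> PostAsync(
        HttpClient client, Uri endpoint, HttpContent payload, CancellationToken ct)
    {
        using var request = new HttpRequestMessage(HttpMethod.Post, endpoint) { Content = payload };

        // ResponseHeadersRead stops HttpClient from buffering the whole body
        // before returning; without it the cap below would come too late.
        using var response = await client.SendAsync(
            request, HttpCompletionOption.ResponseHeadersRead, ct);

        if (response.IsSuccessStatusCode)
            return string.Empty;

        // An unbounded read of the kind the advisory describes, for contrast:
        //   string body = await response.Content.ReadAsStringAsync();
        using Stream stream = await response.Content.ReadAsStreamAsync();
        return await ReadCappedAsync(stream, MaxErrorBodyBytes, ct);
    }

    // Reads up to 'limit' bytes; anything past the cap is never pulled into memory.
    public static async Task<string> ReadCappedAsync(Stream stream, int limit, CancellationToken ct)
    {
        var buffer = new byte[8192];
        using var kept = new MemoryStream();
        while (kept.Length < limit)
        {
            int want = (int)Math.Min(buffer.Length, limit - kept.Length);
            int read = await stream.ReadAsync(buffer, 0, want, ct);
            if (read == 0) break; // end of body
            kept.Write(buffer, 0, read);
        }
        // A cut in the middle of a multi-byte character decodes as U+FFFD.
        return Encoding.UTF8.GetString(kept.GetBuffer(), 0, (int)kept.Length);
    }
}
```

The cap only bounds memory held by the caller; a Content-Length header from an untrusted endpoint is not a substitute for it, since the peer can send a chunked body with no declared length.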

Affected Version(s)

opentelemetry-dotnet-contrib <= 1.15.0

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Adjacent Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved